Re: WAL file location

From: Tom Lane
Subject: Re: WAL file location
Msg-id: 13151.1028052357@sss.pgh.pa.us
In reply to: Re: WAL file location (Andrew Sullivan <andrew@libertyrms.info>)
Responses: Re: WAL file location (Andrew Sullivan <andrew@libertyrms.info>)
List: pgsql-hackers
Andrew Sullivan <andrew@libertyrms.info> writes:
> I guess I'm dumb, but I'm not seeing how these environment variables
> are a big security risk.

The trouble with relying on environment variables for paths (especially
paths to places that we might scribble on) is that the postmaster has
no idea which strings in its environment were actually intended for that
use, and which were not.

As an example, the postmaster very likely has $HOME in its environment.
This means that anyone with createdb privilege can try to create a
database in the postgres user's home directory.  It's relatively
harmless (since what will actually get mkdir'd is some name like
/home/postgres/base/173918, which likely can't overwrite anything
interesting) but it's still not a good idea.

$PWD would be another likely attack point, and possibly one could do
something with $PATH, not to mention any custom environment variables
that might happen to exist in the local environment.

If we add more environment-variable-dependent mechanisms to allow more
different things to be done, we increase substantially the odds of
creating an exploitable security hole.

> In any case, it'd be a _very good_ thing to have a tablespace-like
> facility.

Absolutely.  But let's not drive it off environment variables.
A config file is far safer.
        regards, tom lane
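To make the argument above concrete, here is an added illustration (not code from the thread or from PostgreSQL) contrasting a location lookup driven by the process environment with one driven by an administrator-written config file. The environment, config map, variable name PGDATA2 and location name "extra" are all constructed for the example.

```python
from pathlib import PurePosixPath

# Constructed environment of the "postmaster" process. $HOME, $PWD and $PATH
# are ordinary process variables; only PGDATA2 was meant as a database
# location, but nothing in the environment itself records that intent.
SAMPLE_ENV = {
    "HOME": "/home/postgres",
    "PWD": "/tmp",
    "PATH": "/usr/bin:/bin",
    "PGDATA2": "/var/lib/pgsql/extra",
}

# Constructed stand-in for a config file: the administrator lists, by name,
# exactly the directories that may ever hold a database.
SAMPLE_CONFIG = {
    "extra": "/var/lib/pgsql/extra",
}


def resolve_via_env(location, db_oid, env=SAMPLE_ENV):
    """Environment-variable scheme: whatever name a createdb user supplies is
    looked up in the environment, so $HOME or $PWD becomes a database dir."""
    base = env.get(location)
    if base is None:
        raise KeyError(f"no environment variable {location!r}")
    return str(PurePosixPath(base) / "base" / str(db_oid))


def resolve_via_config(location, db_oid, config=SAMPLE_CONFIG):
    """Config-file scheme: only names the administrator declared resolve;
    everything else in the process environment is simply not reachable."""
    base = config.get(location)
    if base is None:
        raise KeyError(f"unknown database location {location!r}")
    return str(PurePosixPath(base) / "base" / str(db_oid))


def accepted_locations(names, env=SAMPLE_ENV, config=SAMPLE_CONFIG):
    """Audit helper: for each candidate name, report which scheme accepts it."""
    return {n: {"env": n in env, "config": n in config} for n in names}


if __name__ == "__main__":
    # With the env scheme, HOME yields a path like the one Tom describes.
    print(resolve_via_env("HOME", 173918))
    print(accepted_locations(["HOME", "PWD", "PATH", "PGDATA2", "extra"]))
```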

